I need to create an email alert when at a specified period in the day, if our license usage is > #, send an email.
So for example if at 14:00 license usage > 9000, alert
I am using the following search to get my usage.
index=_internal source=*license_usage.log earliest=@d| eval GB=b/1024/1024 | stats sum(GB) by pool | eval used='sum(GB)' | fields used
Also how do I remove the decimals?
index=_internal source=*license_usage.log* type=Usage | bucket _time span=1d | stats sum(b) as bytes by _time, pool | eval GB = round(bytes/1024/1024/1024,5) | eval quota=<your license quota here> | eval "% Used"=round(GB/quota*100,2) | rename GB as "License Util"| table "License Util" "% Used"
I think I figured it out...
This is my search...
index=_internal source=*license_usage.log earliest=@d| eval GB=b/1024/1024/1024 | stats sum(GB) by pool | eval used='sum(GB)' | eval GB_Used_Today=round(used, 0) | fields GB_Used_Today
my custom condition is
search GB_Used_Today > 5
I plan to create and schedule probably about 4 searches throughout the day, with the "5" in "search GB_Used_Today > 5" set to something different based on the time the search is run.
My goal is to identify a spike (and possibly stop the spike) before it causes a license violation.
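The time-of-day thresholds described above can be folded into a single scheduled search instead of four copies, so there is one alert to maintain. This is an added example, not a search from the original thread: the hour boundaries and the GB thresholds (2, 4, 7, 9) are assumed placeholders to be replaced with values derived from your own quota and daily ingest curve, and the `type=Usage` filter is taken from the answer above that uses it.

```spl
index=_internal source=*license_usage.log* type=Usage earliest=@d
| stats sum(b) as bytes by pool
| eval GB_Used_Today=round(bytes/1024/1024/1024, 0)
| eval hour=tonumber(strftime(now(), "%H"))
| eval threshold=case(hour<8, 2, hour<12, 4, hour<17, 7, true(), 9)
| where GB_Used_Today > threshold
| table pool GB_Used_Today threshold hour
```

Schedule it with a cron expression that fires at each checkpoint (for example `0 8,12,17,22 * * *`) and set the alert condition to "number of results is greater than 0"; the `where` clause already applies the threshold for the hour the search runs, so no custom condition is needed. Keeping `pool` in the `stats` and `table` output preserves the per-pool breakdown, which matters if more than one license pool is in use.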
I did it this way:
index=_internal sourcetype=license_usage* earliest=@d | eval GB=round(b/1024/1024,0) | stats sum(GB) as used by pool
Not sure which version of Splunk you are using. I did this on 4.2.3
BTW, the fields command would remove the label for the pools, which would not be good if you had multiple license pools. You might also consider adding
| addcoltotals to the end of command line.
This returned no results?
This is what I am using to round
index=_internal source=*license_usage.log earliest=@d | eval GB=b/1024/1024/1024 | stats sum(GB) by pool | eval used='sum(GB)' | eval "GB Used Today"=round(used, 0) | fields "GB Used Today"